Re: [Detnet] Roman Danyliw's Discuss on draft-ietf-detnet-mpls-11: (with DISCUSS and COMMENT)
Balázs Varga A <balazs.a.varga@ericsson.com> Wed, 09 September 2020 15:13 UTC
Return-Path: <balazs.a.varga@ericsson.com>
X-Original-To: detnet@ietfa.amsl.com
Delivered-To: detnet@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7F1D53A0D82; Wed, 9 Sep 2020 08:13:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.091
X-Spam-Level:
X-Spam-Status: No, score=-2.091 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fXozUy6YIGeF; Wed, 9 Sep 2020 08:13:33 -0700 (PDT)
Received: from EUR04-HE1-obe.outbound.protection.outlook.com (mail-eopbgr70044.outbound.protection.outlook.com [40.107.7.44]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1D5513A0D77; Wed, 9 Sep 2020 08:13:32 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=WGUqMG9L4D9nPHwI9/VhJ6xwOkj3wdsanBRPlNNXKGjSQdepiR0CTcfrfFI3twtlsWZ7o12a58vCRPTHiCVPdHw+aTC5eZQDOjT5y9BMA/NckJp9lMoZLP5JTZxpHjLNcFcj3MAZTmaNMvs+KYfLvrSh0RfuXxGUNy81x7yZmd3wqQVLJgMSVw0xNzYhv9UWTWsg2X/f4Le0Z+vtG00G62BWPiLcOrxhMZaTznIzoyDfA53e4UIrg5lsnIcqeFY8mTZxfijT39SxLHGbhUP0JItD9G+JJnbzf6TFibcByohKYeaxiL03s95I0mTEo0WseOo9qu7Dq+cgzGkcT46ugg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=29kuNAQG11KV+mtsowqwXsRD9bGADjy9L5FPUwYWUbk=; b=f2nS0fBZdpuuDyUwFUwt5ZoTJNJJogyB8A8YSEfktWXwrOVdu7PLVXRUNuCrCw52iPv+358gGQi3aHeK5ZvbXRoorgXhAXfwIwAom7kiQTDPRZ+vo3MOtjBDX/RfRZOG30QOoUHa1LxQfMiF9ZysI1FQZ9l+NQImq2XJD02sUzMfYC/IxX3/GO6yOlMOFFgeW27Zro1Qk7JnHBz+4IFUzovhnvTOUPo6Rc/TWLMK8Vi4q66KtlrOaYIKsBUdscbGfM+XEVoz/fftEo+BUnx0AimDjwXSYWVPYm/+oO9PqY08djv5RaEemi9hhs+ZtSKQ+n1z4clxvjqnG1aEe/mbdA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=29kuNAQG11KV+mtsowqwXsRD9bGADjy9L5FPUwYWUbk=; b=JY60Z0IKFt61HUogwqQvUJiFGdq2mHQ37Fw/dMWqk7K1u5L8xJjNueVAG3vht+F9oXBpks5833O7kW8pZgUyXJsRt+9+SAWz+xoxJLGSj9dIIl+SOqD0sooUEEGD2cl7Hva5zPiEy4+2Rbd07YW/7pJbdNxC/G8Y6KLuRLP38XI=
Received: from AM0PR0702MB3603.eurprd07.prod.outlook.com (2603:10a6:208:22::25) by AM4PR07MB3379.eurprd07.prod.outlook.com (2603:10a6:205:9::20) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3370.7; Wed, 9 Sep 2020 15:13:30 +0000
Received: from AM0PR0702MB3603.eurprd07.prod.outlook.com ([fe80::59ca:540d:b7f3:58b9]) by AM0PR0702MB3603.eurprd07.prod.outlook.com ([fe80::59ca:540d:b7f3:58b9%6]) with mapi id 15.20.3370.016; Wed, 9 Sep 2020 15:13:30 +0000
From: Balázs Varga A <balazs.a.varga@ericsson.com>
To: Roman Danyliw <rdd@cert.org>, The IESG <iesg@ietf.org>
CC: "draft-ietf-detnet-mpls@ietf.org" <draft-ietf-detnet-mpls@ietf.org>, "detnet-chairs@ietf.org" <detnet-chairs@ietf.org>, "detnet@ietf.org" <detnet@ietf.org>, Ethan Grossman <eagros@dolby.com>
Thread-Topic: Roman Danyliw's Discuss on draft-ietf-detnet-mpls-11: (with DISCUSS and COMMENT)
Thread-Index: AQHWhgtpVuSEnDpygE6NJwB6GW5+vqlgVh6Q
Date: Wed, 09 Sep 2020 15:13:30 +0000
Message-ID: <AM0PR0702MB3603A06B6D9ECC2B2BC1A540AC260@AM0PR0702MB3603.eurprd07.prod.outlook.com>
References: <159958865571.6798.11039232880316596486@ietfa.amsl.com>
In-Reply-To: <159958865571.6798.11039232880316596486@ietfa.amsl.com>
Accept-Language: hu-HU, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: cert.org; dkim=none (message not signed) header.d=none;cert.org; dmarc=none action=none header.from=ericsson.com;
x-originating-ip: [185.29.82.162]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 842d37c7-2a13-4142-351d-08d854d2e914
x-ms-traffictypediagnostic: AM4PR07MB3379:
x-microsoft-antispam-prvs: <AM4PR07MB3379C95C87E183E2F9133D37AC260@AM4PR07MB3379.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:7691;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: dJ/AYDp3BwZwGMN4UhvXlO7OGwf54VYJJe8KnXTDH2ve5GzvRY9wqGo6I+hnu0hm8CduEdsNBsD+ORVb29LFwwiH1POYI/x6POJIbPo9p8UoUDVSiBpmeRDjpsJEeKOqUjxwjqrXaio98f7Qh0s0F/fT49HwL5r0ekiSETmpiz/UK2BdgJGyWtKmwBPxohXg1Ajx49aklcUUsBrpOllXhIGjJL20o/lWK8/0HMBc55JoiBu4mfw95kFTspS2O5OR9rJNCijySQbFKVG+keBIb2QcfvaCj/t9zmkduo9iyT3xb+5HsEERJAcENEWD9WE2uB2rLt3Fd0jwGUlrVim2H8rHOicyhO1C8XisekoamKfSf85Kv5eQRRwcy3ChcQvJp0S1FywXtZ7JIYbpdJ/4+w==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:AM0PR0702MB3603.eurprd07.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(366004)(346002)(136003)(39860400002)(396003)(376002)(478600001)(966005)(21615005)(8676002)(7696005)(66446008)(64756008)(76116006)(5660300002)(4326008)(110136005)(66946007)(85202003)(66476007)(66556008)(85182001)(186003)(316002)(166002)(8936002)(2906002)(53546011)(55016002)(9686003)(54906003)(9326002)(86362001)(33656002)(66574015)(26005)(6506007)(71200400001)(83380400001)(52536014); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: KE1fqWMzym4oNzwSBd3/s/HJ59k8jBCXGGQ5tYWoixfCJVi5A0rAOIWsxCS86ExIuqFtiRMdWf1th7AqbLew/N6FoKZ/XIeIU7K+XzukT8z/jt//R6KMyZs8dyoVIxEK6+39fODMiS0dWTzHca3LS/ifWkq4Z63VGFZU5kgGts3X02lAbfkFIrsdYvMA/632t9G916wQN81vDb640ZNMjPzv54TGJBE11dz3wHBAwQsX+0J6RZxYBq0dpCDqoxaSDMu4ic43z2zp3JWA+g4LX/HDgG83mUYK9HzyJtQh7KHttOTin+x03v60N7fAEu6mpNliVipDmx+AP6mVyW/txVGJLgO923s9YZcIy7Azfdn2t1rVwSrUr56v2TTZtaSValQT1njNhF6+dg7EXru4c8qWu7E8mb4vjd4V5pVVLGoeRNa08tK1Z6w2Nk9CwaJCvb4wreyClL0+0s7zAPJvVRN6NURh0g90X3egSqbu1m7UKko2MZK2RTu48W5XjCRyEctM/45JqOX6jXphqfBHNSEvNzwiDmKmoniTyUKMSrMAN6VrW1D403zUpP5PRaiLBrTgrdjtjwI4fY5GJuMNuGc2a/S3sN7QtzZgttN04O/YRu/ypNmbffESiD+UUk9/m+lxAtu6tkjLrwnP4Ok1Wg==
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_AM0PR0702MB3603A06B6D9ECC2B2BC1A540AC260AM0PR0702MB3603_"
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: AM0PR0702MB3603.eurprd07.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 842d37c7-2a13-4142-351d-08d854d2e914
X-MS-Exchange-CrossTenant-originalarrivaltime: 09 Sep 2020 15:13:30.1986 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: 6Pnx/rFF70oyNjAnKlbJ2y+2BrLZ5BVoiDA9ejtTvsOrDs2Wc+sCeO3y88O/5Q1v16qz4qAd9PpFVuomLK8LKCkSUCQl1XPlCsiFmGkPbfo=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM4PR07MB3379
Archived-At: <https://mailarchive.ietf.org/arch/msg/detnet/uf_n3vMTBbZnG5TwGcN2XaojN_Y>
Subject: Re: [Detnet] Roman Danyliw's Discuss on draft-ietf-detnet-mpls-11: (with DISCUSS and COMMENT)
X-BeenThere: detnet@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussions on Deterministic Networking BoF and Proposed WG <detnet.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/detnet>, <mailto:detnet-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/detnet/>
List-Post: <mailto:detnet@ietf.org>
List-Help: <mailto:detnet-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/detnet>, <mailto:detnet-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Sep 2020 15:13:37 -0000
Hi Roman, Many thanks for the review. My comments/replies inline. Thanks & Cheers Bala'zs -----Original Message----- From: Roman Danyliw via Datatracker <noreply@ietf.org> Sent: Tuesday, September 8, 2020 8:11 PM To: The IESG <iesg@ietf.org> Cc: draft-ietf-detnet-mpls@ietf.org; detnet-chairs@ietf.org; detnet@ietf.org; Ethan Grossman <eagros@dolby.com>; eagros@dolby.com Subject: Roman Danyliw's Discuss on draft-ietf-detnet-mpls-11: (with DISCUSS and COMMENT) Roman Danyliw has entered the following ballot position for draft-ietf-detnet-mpls-11: Discuss When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html for more information about IESG DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-detnet-mpls/ ---------------------------------------------------------------------- DISCUSS: ---------------------------------------------------------------------- ** (Discuss-discuss) Section 6. Per “To prevent DetNet packets from being delayed by an entity external to a DetNet domain, DetNet technology definition can allow for the mitigation of MiTM attacks, for example through the use of authentication and authorization of devices within the DetNet domain”, can this attack scenario or the appropriate mitigation be clarified. If packets are coming from or going across the DetNet boundary how can any assurances be made? What is architecture element is the “MiTM” (relay? transit? per Figure 2)? <Bala'zs> See, Stewarts reaction. ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- ** Section 4.2.2. To confirm, if ACH and GAL are used instead of d-CW, then only 16-bit sequence numbers are supported? <Bala'zs> OAM is covered in https://datatracker.ietf.org/doc/draft-ietf-detnet-mpls-oam/. ** Section 6. Per “Achieving such loss rates and bounded latency may not be possible in the face of a … Internet Thread Model BCP72”, I concur with this analysis. However, as the applicability statement of DetNet is not the internet, but (I thought) enterprise IT and OT networks, it might worth reiterating this reduced scope and framing this text around the attacker capabilities. <Bala'zs> OK. Do You have a proposed text? ** Section 6. Per the reduced scope attacker being capable of “control[ing] a network node within the boundary of the DetNet domain”, are these nodes in question limited to end systems, or would they also include relay/transit nodes (per Figure 2)? If it is the latter, then these seem like they would have the ability to arbitrarily drop or delay packets cross their paths just like a BCP72 attacker, so why make the distinction? If it is the former, then the paragraph after this one suggesting IPSec and MacSec doesn’t seem to be mitigating a threat posed by a compromised end system. <Bala'zs> It depends on the network scenario, whether the end host is MPLS capable and it is part of the DetNet network. So both applies. ** Section 6. Per “The primary consideration for DetNet data plane is to maintain integrity … and delivery …”, this framing suggests that integrity and availability are the key concerns. However, the paragraph prior, seemed to frame that only availability with the key issue. <Bala'zs> Right. Integrity is a consideration like other flows, they are not DetNet specific. I will fix this sentence. ** Section 6. Per “Application flows can be protected through whatever means are provided by the underlying technology”, what is the scope of “underlying technology”, is that an application concern? Or a DetNet data or control plan concern? The text isn’t clear on who’s responsibility it is to provide these services (IPSec or MacSec), or what assumptions the application can make? IMO, the clearer statement to make is that MPLS doesn’t provide any native security services to account for confidentiality and integrity. <Bala'zs> Right. I will fix this sentence with your suggested clearer statement. ** Section 6. Per “From a data plane perspective this document does not add or modify any header information.”, to be clear, does this text mean “_application_ header information”? I’d recommend being clear. <Bala'zs> Thanks, I will fix this. ** Section 6. Please s/for the mitigation of Man-In-The-Middle attackers/for the mitigation of on-path attackers/ <Bala'zs> Thanks, I will fix this. ** Editorial Nits: <Bala'zs> Thanks, I will fix them. Section 1. Editorial. s/different network technologies is/different network technologies are/ Section 2.1. Editorial. S-Label definition. Doesn’t “… that implement also the DetNet service sub-layer functions” say the same things as “An S-Label is also used to identify a DetNet flow at DetNet service sub-layer …”? I’m not sure you need the “… that implement [sic] also the DetNet …” phrase at the end of the first sentence. Section 4.1. Editorial. This section opens with a list of 6 requirements. The paragraphs below this list begin explaining how these requirements are met. It was helpful that the text explicitly called out how “(1) and (2) in the list above” were satisfied. This convention was not followed for items 3 – 6. Section 4.2.1. Editorial. Explain “S/N” (Sequence Number) on first use. Section 4.3. Editorial. s/0X1/0x1/ Section 4.4. s/this documents/this document/ Section 5.2. Typo. s/paramters/parameters/ Section 6. Typo. s/the the/the/
- [Detnet] Roman Danyliw's Discuss on draft-ietf-de… Roman Danyliw via Datatracker
- Re: [Detnet] Roman Danyliw's Discuss on draft-iet… Stewart Bryant
- Re: [Detnet] Roman Danyliw's Discuss on draft-iet… Roman Danyliw
- Re: [Detnet] Roman Danyliw's Discuss on draft-iet… Balázs Varga A